Part One: Protecting Critical Infrastructure
When the U.S. Department of Energy’s Office of the Inspector General (OIG) released a report in January 2011, blandly titled “Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security,” (www.ig.energy.gov/documents/IG-0846.pdf) the ensuing headlines were dramatic: “Report: Efforts to Secure Nation’s Power Grid Ineffective,” appeared Feb. 1, 2011, on Threat Level, a Wired magazine blog. Two days later, the Christian Science Monitor charged: “America’s power grid too vulnerable to cyberattack, U.S. report finds.”
It’s true: The OIG found many problems with the way standards for protecting the nation’s bulk electric system, or power grid, are being developed and approved. But understanding the problems listed in the report, and how they came into being, requires understanding a regulatory arrangement that is, even by U.S. government standards, labyrinthine. The short version:
- In 2005, the Energy Policy Act gave the Federal Energy Regulatory Commission (FERC) authority to oversee the nation’s power grid: a network of about 1,600 entities operating at 100 kilovolts or higher. (“Power grid” does not refer to the systems that distribute power to end users, and that are under the jurisdiction of state public utility commissions.)
- The FERC’s authority over the power grid is fragmented. It is, ultimately, responsible for approving cybersecurity standards for the power grid – but it doesn’t develop the standards. That task falls to a nonprofit industry group, the North American Electric Reliability Corporation (NERC), which was founded in the 1960s by the electric utility industry to promote the reliability of bulk power transmission.
- The NERC has sole authority for proposing reliability standards for the power grid to FERC for approval, and for enforcing those standards through its eight regional entities. By law, FERC cannot alter the standards, and it is directed to “give due weight to the technical expertise” of NERC and its regional entities.
- The standards at issue in the OIG’s report are the Critical Infrastructure Protection (CIP) standards, which were approved by FERC in 2008, and most of which deal with aspects of cybersecurity, from personnel training to access and management controls to response planning.
- NERC develops these standards in collaboration with industry. Sam Brattini, executive consultant with the international energy firm KEMA, once chaired a couple of NERC’s standards drafting teams; the process, he said, is time-consuming: “The standards are always in a constant state of revision,” said Brattini. “It takes at least two years to make a revision to a standard or to write a new standard.” The drafting team sends standards to industry for comment, integrating useful commentary into two or three ensuing revisions before the standards are sent back to industry entities for balloting. “If there are more than two negative ballots on the standard – which there always are – the drafting team must address those negative ballots and the associated comments,” Brattini said. Once standards are finally approved by industry, they are sent to the NERC board of trustees, who – if they also approve – file the standards with FERC for approval.
This arrangement makes more sense than it might seem at first glance: Nobody is more knowledgeable about the security needs of power grid infrastructure than the people who own and operate it. However, as the OIG concluded in its report, the process by which the bulk power industry essentially writes its own standards has not, so far, created strong reassurances about the security of the grid.